Vulnerability Reporting Delays by China

According to an information security firm, China is attempting to cover up inexplicable delays in public reporting of high-risk software security holes by changing the dates of vulnerability publication to its national vulnerability database so they match those in the U.S. database.

A previous investigation, in November, discovered that China is finding and disclosing information on software security holes faster than the United States, except when those vulnerabilities are high risk and might be used in targeted attacks.

Now the information security firm Recorded Future has discovered that China National Vulnerability Database (CNNVD) altered the original publication dates for at least 267 vulnerabilities in its research published in November 2017. The information security training expert said it expects the changes were made to conceal evidence it revealed in its previous report.

China’s National Vulnerability Database has a website but appears to be separate from the China’s Ministry of State Security MSS, the firm said in previous research. MSS is akin to the US Central Intelligence Agency. Unlike the CIA, however, MSS is not just a foreign intelligence service, but it also has a large, and arguably more important domestic intelligence mandate.

Recognizing the importance of the domestic mission is key to understanding why the MSS would manipulate data that is primarily consumed by Chinese or regional users. In other words, China is in no hurry to publish information about serious vulnerabilities because it wants to give MSS time to evaluate how the government might use them in offensive cyber operations. “CNNVD’s outright manipulation of these dates implicitly confirmed this assessment,” the firm said.

Now it seems China also is trying to cover its tracks and hide its intent. The dates changed in the CNNVD were for vulnerabilities that the U.S. NVD had reported in six days and the CNNVD took more than twice as long as its average of 13 days to report. Information security training analysts first noticed the discrepancies between publication dates in two Microsoft Office security holes identified as outliers in its November report.

“The initial CNNVD publication dates for the two vulnerabilities had been backdated to match NVD and erase the publication lag,” the information security firm said in its report. Screenshots of the vulnerabilities records from November and February, respectively, are provided in the report, highlighting the date alteration.

The information security firm found that 267 of the 268 CNNVD original publication dates had been altered since November 17. Moreover, each date was changed post-publication to approximate or beat publication date in the U.S. vulnerability database.

“What we found was that CNNVD had changed the publication date to hide the publication lag,” information security training professional Moriuchi said.”This would hide the evidence of (Ministry of State Security) influence and any other processes that would create the publication lag in the first place and it would limit the methods we were using and any other organizations would use to anticipate Chinese APT behavior.”

The firm identified 74 new outlier vulnerabilities, published between September 13 and November 16, 71 of which “were backdated and the publication lags erased,” researchers said.

From a public service and transparency perspective, there could be larger liability issues for companies and institutions that rely solely on CNNVD data, researchers said. “If a company is victimized by an exploit for a vulnerability during the altered period of time, unless they kept a historical record of all CNNVD initial report dates, they could face questions about why they did not remediate a vulnerability for which they did not know about,” according to the firm report.

Additionally, China recently instituted a Cybersecurity Law (CSL) mandating that companies operating in China adopt a “tiered system of network security protections,” information security training researchers said. The law allows the state to hold companies both legally and financially responsible for what officials deem a “network security incident.”

In light of the activity uncovered by Recorded Future, for a foreign multinational company to comply with all the provisions of the CSL could mean that it may at the same time violate Western laws or regulations against cooperating with Chinese security and intelligence services.

Moriuchi said that the more worrying issue is China’s willingness to cloud or distort information to serve its ends. After all, vulnerabilities published on the US NVD or China’s CNNVD have already been publicly disclosed. That means they are unlike so-called vulnerability “equities”: undisclosed software vulnerabilities that state intelligence agencies discover (or purchase) and may keep secret for use in offensive cyber operations.